FORT MEADE, Md. - The National Security Agency (NSA) is proud to partner with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United Kingdom National Cyber Security Center (NSC-UK) on CISA’s Cybersecurity Technical Report (CTR) “Identifying and Mitigating Living Off the Land,” which provides guidance on defending against common living off the land (LOTL) techniques. This release follows a May 2023 joint Cybersecurity Advisory on LOTL techniques.
Rather than introducing malicious code to a system, LOTL threats use existing tools on the system to circumvent security capabilities, which makes these cyberattacks more difficult to detect and mitigate. These techniques can occur in multiple types of IT environments including on site, in the cloud, or hybrid environments. People’s Republic of China and Russian Federation state-sponsored actors often use these techniques to evade detection.
“Living off the land attacks have galvanized the cybersecurity community,” said Rob Joyce, NSA’s Director of Cybersecurity and Deputy National Manager for National Security Systems (NSS). “More than half a dozen international and domestic partner organizations signed on to our previous living off the land Cybersecurity Advisory. Industry also allowed us to reference their important contributions.
“Together with our partners and allies, we’re shining a light on attacks that occur in dark corners, and illustrating how the PRC behaves irresponsibly by holding civilian critical infrastructure at risk. CSAs like this arm all of us to improve defense and bring together a coalition that can do more as a group than any one of us can do alone,” said Joyce.
The CSA outlines how and why LOTL attacks are effective and includes best practice recommendations that are part of a multi-faceted and comprehensive approach to mitigating LOTL cyber threats. Best practices for prioritizing detection and hardening targets include implementing logging that allows for better detection of malicious LOTL activities, implementing authentication controls, maintaining user and admin privilege restrictions, auditing remote access software, establishing baseline behaviors, and refining monitoring tools and alerting mechanisms. The advisory also contains recommendations for software and technology manufacturers, technical details on threat actor activity, and information on network defense weaknesses.
Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.
NSA Media Relations